Saturday, 28 January 2023

F.A.Q.

Cybersecurity is the implementation of measures to protect digital systems, networks and software applications from digital attacks. Such attacks usually aim to gain access to sensitive information, to alter or delete it, to extort money from users, or to disrupt the normal operation of organizations.

Implementing effective cybersecurity measures is quite a challenge at present: there are now more devices than people, attackers are becoming more sophisticated every day, and the nature of threats is changing ever more quickly.

Users must understand and respect the basic cybersecurity principles. Examples of these principles include choosing strong passwords, being careful with email attachments, and backing up your data.

According to the legislation of Turkmenistan, each organization should develop a set of cybersecurity measures that is approved by management and used by employees as a guideline. This guideline should contain information on how to detect an attack, protect systems, identify and prevent threats, and restore system availability after an attack. A high level of cybersecurity education among employees makes a major contribution to preventing such threats.

Technology is an essential element in providing organizations and individuals with the tools they need to defend against cyberthreats. The main assets that need to be protected are endpoints (computers, mobile phones, smart devices) as well as networks and cloud systems. The most common technologies used to protect these assets include next-generation firewalls, antiviruses, anti-malware solutions, and email security solutions.

Successful cybersecurity measures are implemented as "multi-level protection" covering computers, networks, programs and data. Staff members, technology and cybersecurity activities together can prevent cyber threats in a complementary way.

Critical infrastructure protection covers the automated control systems of production and technological processes at critical facilities in the country, as well as the set of information technology systems and communication channels designed to ensure public administration, defense, security and order. Owners of critical information objects are called subjects of critical information infrastructure. Critical objects are evaluated according to the following principles:

1) Social significance - possible damage to the life or health of people, objects that ensure the vital activity of the population, disruption or termination of the operation of transport and communication systems, as well as the possible long-term unavailability of public services for persons using such services;

2) Political significance - damage that could be caused to the internal and external political interests of Turkmenistan;

3) Economic significance - direct and indirect damage that could be caused to the budget of Turkmenistan and the subjects of critical information infrastructures;

4) Environmental significance - damage that could be caused to the environment;

5) Damage that could be caused to critical objects of information infrastructure that ensure the protection of the state, the security of the country and the rule of law.

Reliability is the ability to perform the assigned tasks within the established timeframe and under the established procedure and conditions of use. System reliability, as a complex concept, includes the following:

Uninterrupted operation of the system - the ability to continuously maintain the operating state of the system for a specified period of time;

Maintaining the system in an active state - the ability to maintain serviceability and uniformity of the system for a given period of time;

Maintainability - if necessary, the ability to quickly eliminate existing system defects, as well as the ability to download and install software updates;

System backup - the ability to restore the system after failures caused by various reasons.

To determine the reliability of information systems, it is necessary to determine their constituent components. Information systems consist of 3 main components:

  • people
  • processes
  • technologies

In modern information technology, the last of these components must be divided into two parts and studied separately:

  • Hardware
  • Software

There is a significant difference between these two. Hardware is affected physically: the protection of the premises where systems are located, environmental influences, natural and man-made phenomena, etc., all have an impact on hardware equipment.

On the other hand, software is isolated from the physical environment and cannot be affected by the physical influences mentioned above. It is an artificially created logical environment and is very complex.

A cyber threat is a set of causes and conditions that pose a risk of an information security breach and that is aimed at the information infrastructure of organizations, computer equipment, mobile communications and other technical equipment.

A cyber incident is an incident related to the disruption or interruption of the operation of information infrastructure objects or of the telecommunication systems that ensure interaction between them, or a breach of the security of the information processed by these objects.

2FA (two-factor authentication) is an additional security method used to verify and protect a user account when logging into a system. Verification is achieved not only by entering the user's login and password, but also by entering a code known only to the owner of the account.

A log file is a file that contains information about the operation of a server or computer and records the activities of users or programs.

The word botnet is derived from robot and network. A botnet is a network of Internet-connected devices (computers, mobile phones, tablets, and even household refrigerators or vacuum cleaners) infected with malware. Cybercriminals use special software to bypass the security measures of these devices, connect them into a single network and control them remotely.

Email is a technology for sending and receiving electronic messages, together with the services provided by this technology. Email allows users to send and receive files in addition to plain text.

A signature is the fingerprint of a computer virus or attack, used to detect it. Most modern antiviruses, vulnerability scanners and intrusion detection systems (IDS) work with signatures taken from the virus file or from request packets.

A sensor box is a hardware and software complex that is deployed in organizations and connected to the Security Operations Center (SOC). The sensor box sends the SOC's systems information about cyberthreats, ongoing cyberattacks, detected viruses and similar cyberincidents observed in corporate networks.

Encryption is the protection of information against unauthorized viewing or use, based on converting the information into ciphertext. Decryption, that is, restoring the original form of the text, is possible only with the help of the key used to encrypt this information.

The IoT (Internet of Things) is the network of Internet-connected things that surround us. If a car, iron, vacuum cleaner, electric kettle or other device used in daily life is connected to the Internet, it can be called an IoT device.

An update brings software to its latest version. An update is usually released as a "patch", that is, a piece of code that changes the source code of a program. Patches are used to fix bugs in the code and to add new features to the software.

A cyberattack is an impact produced by a program or a set of hardware and software tools, aimed at disrupting and (or) stopping the operation of information infrastructure objects or of the telecommunication systems that ensure the interaction of these objects, and at endangering the security of the data processed at these objects. Today, the number and types of cyberattacks increase day by day, and the conditions for carrying them out become simpler. Below are the most common types of cyberattacks and their features.

DoS (Denial of Service) is malicious activity aimed at bringing a computer system to the point where it can no longer serve users or perform its intended functions correctly. The attack is carried out by generating a large number of requests and thus a heavy load on equipment, most often on large servers.

A server has limits on the number of applications and connections it can handle concurrently. The communication channels connecting the server to the Internet also have limited bandwidth. Consequently, the server cannot handle a large number of simultaneous requests, while the sending side tries to consume the attacked server's Internet bandwidth and memory. Because of this load, the server has to refuse service to regular users. The ultimate goal is to disable the system and harm its owner.

DDoS (Distributed Denial of Service) is an attack in which requests are sent simultaneously from a large number of IP addresses, which is what makes it so damaging to the attacked system. The word "distributed" in the name of the attack comes from this: the attack is distributed across devices with different IP addresses. Typically, an attacker sends such requests from multiple compromised systems. In many cases, the owners of these devices are unaware that such traffic is being sent on their behalf. DoS and DDoS attacks can last from a few minutes to several days.

Social engineering is the exploitation of human weakness to illegally obtain a user's personal information or to gain unauthorized access to his or her device in order to upload malicious software. For example, an attack may begin by collecting information about the employees of a target organization through a simple phone call, or by entering an office posing as an employee of that institution. One example is obtaining a password by calling an employee, claiming to be the technical support service and saying that the password is needed to fix a small disruption in the computer network. Offenders often rely on social engineering because collecting sensitive information this way is easier than hacking systems with computer attacks.

Phishing is a type of social engineering attack: the distribution of fake emails that look like emails from a trusted source. These actions are usually carried out via email. Their purpose is to steal personal and confidential information (such as credit card or account details) or to install malicious software on the victim's device. Phishing is the most common type of cyberattack, and every user needs to be aware of it in order to be adequately protected.

In a phishing attack, a fake email is first sent to mislead the user. This letter looks like one that came from a trusted source. If the user trusts the message and opens it, the user is directed to a prepared fake website; by entering data on this website, the user gives away personal and confidential information or downloads malicious software to the device. One way to protect organizations from phishing attacks is to raise employees' cybersecurity awareness.

SQL injection is one of the most common ways to attack websites and database applications. It is based on injecting SQL code into a query made by the site or application.

Depending on the DBMS used and the conditions of the injection, SQL injection can make it possible to execute arbitrary queries against the database (for example, read the contents of any table, or delete, change or add data), to read and/or write local files, and to execute commands on the attacked server.
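As an added illustration (not code from the original page) of how injected SQL alters a query and of the standard defence, the following uses a small SQLite table constructed for the example: the first login function pastes user input into the SQL text, the second binds it as a parameter so it can never change the query's structure.

```python
import sqlite3


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),   # constructed sample data
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user input becomes part of the SQL text, so
    quotes and keywords in the input are parsed as SQL, not as data."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the same input is bound as a value, so the DBMS
    compares it literally and the WHERE clause keeps its intended meaning."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run both versions against legitimate and SQL-laden input."""
    conn = make_db()
    # A password field that contains SQL syntax.  In the concatenated query the
    # WHERE clause becomes (username='nobody' AND password='') OR '1'='1', which
    # is true for every row; the bound version simply matches no row.
    injected = "' OR '1'='1"
    return {
        "legit": login_safe(conn, "bob", "hunter2"),
        "vulnerable": login_vulnerable(conn, "nobody", injected),
        "safe": login_safe(conn, "nobody", injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-10s %s" % (name, rows))
```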

PHP injection is one of the ways to disrupt the normal operation of sites written in PHP, by injecting third-party PHP code into the attacked site.

Cross-site scripting (XSS) is the injection of malicious code into a page of a site, so that the code interacts with the attacker's web server when a user opens that page. Thus the user also has to "participate" to some extent for this attack to succeed. The malicious code can be inserted into a website page either through a vulnerability in the web server or through a vulnerability on the user's computer. Cross-site scripting can also be used to carry out DoS attacks.

Spoofing is a technique used to impersonate another user in order to trick a network device or user. Examples of spoofing attacks are IP, DNS and email spoofing.

In IP spoofing, a foreign IP address is placed in the IP packets sent by the hacker, so that responses to those packets are sent to the victim's device rather than to the hacker. Accordingly, an Internet user who is unaware of these actions sees messages arriving from unknown addresses.

DNS spoofing is changing DNS server settings and redirecting a domain name to the hacker's IP address.

Email spoofing involves forging the header of a message to hide its source.

Man-in-the-middle is the theft by a third party of information exchanged between two parties, carried out by inserting itself into the communication channel. This can be done by changing DNS server settings, the hosts file, or by similar methods. For example, when a user accesses the bank's website and uses the "internet banking" service, all information passes through the third party's node. Thus the third party is able to steal all of the user's information, including name, password, PIN and other data.

A deface is a form of cyberattack in which the home page or another important page of a website is replaced by a provocative and inappropriate page (threatening, defamatory, advertising, warning, etc.). In most cases, after a successful attack, access to the other pages of the site is blocked by the intruders or the information on the site is deleted entirely.

An exploit is a program, piece of software code, or sequence of commands that takes advantage of vulnerabilities in software and is used to attack a system. The aim of the attack is to gain control over the system (privilege escalation) or to disrupt its normal operation.

Depending on the method of gaining access to vulnerable software, exploits are divided into remote and local. A remote exploit works over a network and exploits the vulnerability without any prior access to the vulnerable system. In turn, a local exploit is launched directly on the vulnerable system, requiring prior access to it. Typically, a local exploit is used to gain superuser privileges on the system.

A brute force attack is an attack carried out by trying all possible password combinations one by one in the hope of finding an account's password. Software designed specifically for such attacks keeps trying until a password is found. Using not only lowercase letters or digits but also capital letters and special characters when composing passwords complicates the work of brute force tools and reduces the likelihood of this attack succeeding.

Penetration testing (pen test) is a test whose purpose is to check the security and reliability of an information system and to identify and eliminate its vulnerabilities. For this, attempts are made to bypass the system's protection using special software. A pen test helps to obtain detailed information about the vulnerabilities present in the information system.

Malware is any code written with the specific purpose of causing damage, disclosing information, or compromising the security or stability of a system. Malware includes many types of malicious software: ransomware, spyware, adware, viruses, computer worms, Trojan horses, backdoors, RATs and rootkits.

Ransomware is malicious software that locks the victim's information on his or her own computer, usually using strong encryption. A payment in digital currency (cryptocurrency) is then demanded to give the user back control of the captured data.

Spyware is a type of malicious software that monitors user activity and transfers the information to a remote cybercriminal. Spyware is also used by advertising and marketing services to collect information about customers' locations. Attackers can use spyware to steal a victim's account information or use its data collection tools to harm users.

Adware is software used to display ads on a user's device. In other words, a so-called "adware virus" is one of the unwanted programs that, where possible, should not be downloaded and installed. Adware is usually downloaded to the device without the user's permission. It prevents the user from browsing the Internet in peace by showing too many ads and banners or by automatically playing promotional videos. The main purpose of adware is to generate income for its creators.

There are two main types of adware, depending on how it gets onto the user's computer: adware installed on the user's device together with free or shareware software, and adware picked up from infected sites.

A computer virus is a stealthy, self-replicating program that spreads by infection, i.e. by making a copy of itself and embedding it in another program. A virus cannot run on its own: the program it is embedded in must be launched for the virus to become active.

CVE (Common Vulnerabilities and Exposures) is a database of publicly known cybersecurity vulnerabilities.

Before 1999, when CVE was launched by MITRE, it was difficult to transfer information about product vulnerabilities between different databases. Each solution vendor had its own database, with its own naming scheme and its own set of vulnerability parameters for describing security defects. To solve this problem, MITRE created CVE.

The goal of the CVE program is to find, identify and classify publicly disclosed cybersecurity vulnerabilities. The CVE database was created to make it easier for organizations to share information about known vulnerabilities. CVE identifiers enable cybersecurity professionals to find information about a flaw easily in different authoritative sources using the same vulnerability identifier.

Each CVE entry consists of the following sections: CVE ID, links, description. The CVE ID begins with the prefix CVE, followed by the year in which the vulnerability was reported and the number assigned by a CNA (CVE Numbering Authority).

CNAs are software developers and vendors, vulnerability research groups, and other organizations authorized to add new entries to CVE. The main CNA is MITRE, but now many organizations around the world have CNA status. In order to become a CNA, a company must have a public vulnerability disclosure policy and a public resource for posting information about new security defects.

The syntax of a CVE ID is as follows: CVE prefix - year of discovery of the vulnerability - sequence number of the vulnerability.

The sequence number has 4 or more digits. The identifier syntax was changed in 2015. Initially, only 4 digits were used as the sequence number, which limited the scheme to a maximum of 9999 vulnerabilities per year. Now, 7 digits are commonly used.

Consider an example. At the end of 2021, a vulnerability was identified in Log4j that allows malicious code to run on vulnerable systems. It was assigned the identifier CVE-2021-44228.
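To make the identifier syntax concrete, here is an added example (not from the original page) that validates a CVE ID against the rules above and picks valid IDs out of free text such as an advisory; the advisory text and the four-digit ID CVE-2014-0000 in it are constructed placeholders, not real bulletins or entries.

```python
import re

# CVE ID syntax described above: the prefix "CVE", a four-digit year, and a
# sequence number of four or more digits (no longer limited to four since the
# 2015 syntax change).
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
# The same shape, used to find candidate IDs inside free text.
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_cve_id(cve_id):
    """Return (year, sequence number) for a well-formed CVE ID.

    Raises ValueError for anything that does not follow the syntax, including
    IDs whose year is earlier than 1999, when the CVE programme was launched.
    """
    m = CVE_ID_RE.match(cve_id.strip())
    if not m:
        raise ValueError("malformed CVE ID: %r" % cve_id)
    year = int(m.group("year"))
    if year < 1999:
        raise ValueError("CVE year predates the CVE programme: %r" % cve_id)
    return year, int(m.group("seq"))


def find_cve_ids(text):
    """Return the distinct valid CVE IDs mentioned in text, ordered by year
    and sequence number; malformed candidates are silently skipped."""
    ids = set()
    for candidate in CVE_IN_TEXT_RE.findall(text):
        try:
            parse_cve_id(candidate)
        except ValueError:
            continue
        ids.add(candidate)
    return sorted(ids, key=parse_cve_id)


# Constructed sample advisory text (not a real bulletin).  It mixes the
# five-digit Log4j ID from the text, a placeholder pre-2015-style four-digit
# ID, a placeholder with an impossible year, and two malformed strings.
SAMPLE_ADVISORY = """
Affected: log4j-core (CVE-2021-44228).  Older style identifiers such as
CVE-2014-0000 have four digits.  CVE-1998-0000 cannot exist, and strings
like CVE-21-44228 or CVE-2021-123 do not follow the syntax at all.
"""

if __name__ == "__main__":
    for cve in find_cve_ids(SAMPLE_ADVISORY):
        print(cve, parse_cve_id(cve))
```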

If a vulnerability is included in the CVE database, this means that a solution has already been prepared for it by the software vendor, in the form of a patch and recommendations. Therefore, the easiest way to stay secure is to install updates promptly.

A flaw is assigned a CVE when it meets three specific criteria:

  • The flaw can be corrected separately from any other errors;
  • The software vendor has acknowledged and documented the vulnerability as detrimental to user security;
  • The bug affects a single codebase. Flaws affecting multiple products are assigned separate CVEs.

CVE is an important and necessary element on the path to improving products and maintaining user protection.

CVSS (Common Vulnerability Scoring System) is an open standard for assessing the severity of vulnerabilities in products. This standard provides a simple tool for calculating a numerical score on a ten-point scale that allows security professionals to decide quickly how to respond to a particular vulnerability. The higher the score, the faster a response is required.

In 2005, the first version of the standard was published, developed with the participation of experts from various organizations (CERT/CC, Cisco, DHS/MITRE, eBay, IBM Internet Security Systems, Microsoft, Qualys, Symantec). The standard then came to be maintained as part of the FIRST (Forum of Incident Response and Security Teams) project. In 2007, the second version of the standard was released, and in June 2015 the third, CVSSv3. The latest version of CVSS is 3.1, released in June 2019.

The scores are calculated using special formulas based on several metrics and roughly estimate how easy it is to use an exploit, that is, specially written code, against the product.

According to the CVSS standard, vulnerabilities are assessed based on a number of metrics. Three types of metrics can be distinguished:

1) Base metrics. These are general metrics that describe the vulnerability and do not depend on time or on a specific environment. They are divided into two groups:

  • Exploitability metrics describe how easily the vulnerability could be exploited. This group includes, for example, the attack vector (some vulnerabilities can be exploited over the Internet, that is, from anywhere in the world with access to the Web, while others require physical access to the vulnerable device, which is quite difficult for a random attacker to obtain), the complexity of the attack, the need for any action on the user's side, and the level of privileges the attacker needs in order to carry out the attack.
  • Impact metrics concern the consequences of exploiting the vulnerability for the system and the data stored in it: for example, whether the attacker can disable the system, gain access to sensitive data, modify files, etc.

2) Temporal metrics describe external factors that may change over time, for example the availability of a working exploit or, conversely, of a patch.

3) Environmental metrics do not affect the base assessment of the vulnerability in any way, but they make it possible to determine its severity for a specific IT environment. The set of environmental metrics includes the base metrics adjusted to the conditions of a particular environment. For example, exploitation of a vulnerability may in general require only minimal privileges, while in a particular organization only administrators have access to the vulnerable system. Environmental metrics also include metrics that describe how dangerous the possible consequences of exploiting a vulnerability would be for a particular organization: for example, whether the company's operations would be affected by a server outage, or whether it has a spare server to which it can easily switch in the event of an incident.

CVSS is calculated based on metrics using a set of formulas. It can take a value from 0 to 10, where:

  • 9.0–10.0 — critical level of severity;
  • 7.0–8.9 — high;
  • 4.0–6.9 — medium;
  • 0.1–3.9 — low;
  • 0.0 — no danger.

Severity level: critical

Vulnerabilities rated critical typically have most of the following characteristics.

  • Exploitation of the vulnerability could compromise servers or infrastructure devices at the root level.
  • Direct exploitation, i.e. the attacker needs no special authentication credentials or knowledge of individual victims, and does not need to convince the target user, for example via social engineering, to perform any special action.

If critical vulnerabilities are discovered, we recommend installing a patch or upgrade as soon as possible unless other mitigation measures can be taken. For example, a mitigating factor might be that the deployed system is not reachable from the Internet.

Severity level: high

Vulnerabilities that fall within the high severity range typically have some of the following characteristics.

  • The vulnerability is difficult to exploit.
  • Compromise could lead to privilege escalation.
  • Compromise could result in severe data loss or permanent inoperability.

Severity level: medium

Vulnerabilities that fall within the medium severity range typically have some of the following characteristics:

  • Vulnerabilities that require an attacker to manipulate individual victims using social engineering techniques.
  • Denial of service vulnerabilities that are difficult to exploit.
  • Vulnerabilities that require the attacker to be on the same local network as the victim.
  • Vulnerabilities that provide only very limited access when compromised.
  • Vulnerabilities that require user privileges in order to be exploited successfully.

Severity level: low

Vulnerabilities of low severity typically do not affect the operation of the system. Exploitation of such vulnerabilities typically requires local or physical access to the system.